Closed synctext closed 2 years ago
Facinating 2012 report from World Economic Forum
To restore trust, this report proposes three separate, but related
questions, which need to be addressed by all stakeholders:
1. Protection and Security: How can personal data be protected
and secured against intentional and unintentional security
breach and misuse?
2. Rights and Responsibilities for Using Data: How can rights
and responsibilities, and therefore appropriate permissions, be
established for personal data to flow in ways that both respect
its context and balance the interests of all stakeholders?
3. Accountability and Enforcement: How can organizations
be held accountable for protecting, securing and using
personal data, in accordance with the rights and established
permissions for the trusted flow of data?
Our government is already conducting various initiatives within this area. See this letter to parlement about the various ongoing matters.
10 principles: http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html active group: http://www.weboftrust.info/ key paper: http://www.weboftrust.info/downloads/dpki.pdf paper: https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2016/blob/master/final-documents/reputation-toolkit.pdf paper: https://github.com/WebOfTrustInfo/ID2020DesignWorkshop/blob/master/final-documents/physician-patient-relationship.pdf MIT Pentland paper: explaining slides and .pdf http://dl.acm.org/citation.cfm?id=2867781
Read literature:
Attended events:
W3C is creating a group on self-sovereign Identity matters. However, seems too heavy and leaning towards a browser-only perspective.
Please also read detailed (privacy-minded) crypto papers:
Key paper discussing 15 years of decentralization with 189 citations from the literature {including TribBler} Titled: "Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments"
This paper is a beautiful version of 3 years earlier work by TUDelft students https://cryptome.org/2014/04/tor-vulns-attacks.pdf titled "The fifteen year struggle of decentralizing privacy-enhancing technology"
After 15 years of struggling scientist we now see the emergence of numerous standards group which also make sadly little progress. https://github.com/WebOfTrustInfo/ID2020DesignWorkshop/blob/master/topics-and-advance-readings/DID-Whitepaper.md#decentralized-identifiers-dids-and-decentralized-identity-management-didm
Real patient open dataset:
A sample anonymized data set, including 5,000 patients and 500,000 observations, is available for the following Platform releases (note that demo data for OpenMRS Platform releases and will not work for OpenMRS Reference Application releases)
About self-sovereign IDs.. @qstokkink can you please provide us with a reference to the Stanford paper which is not that popular but seems to have a the right crypto magic we need for key attestation and zero-knowledge proof fun?
Read literature:
Read literature:
Meeting with Idius Felix. He advised me to look for another dmain because I lack domain knowledge about healthcare. He thought my research question was too broad.
Tried to contact Ron van den Bosch (UMCG) but he retired this month.
Felix consult; the electronic patient file does not exist. Spread out across hospital, special clinics, general practitioner, elderly care, etc. Future direction:
ToDo: Learn QT for Android and Python.
Activities:
Medicit input: self-sovereign identity where patient can see all available data, append corrections, control sharing, and control removal. Defined format and medical patient data. Demo app https://mxi.nl/upload/documenten/presentatie_doorontwikkeling_blockchain_zin_izo_mxi.pdf
Next meeting: first QT app, expand with MijnZorgLog basic features. Possible future steps: Trustchain + self-sovereign ID, IPv8. Smartphone becomes your personal medical data server. Problem, reliability, backup, and theft-locking. Brainstorm idea: spread your encrypted patient files among social network. Features: remotely disable, your trustchain locks, trustchain goes into recovery mode, recover with friends (mechanism to support 1-5 friends)?.
This is the Facebook account recovery using trusted contacts:
1 Tap Forgot Password? on the login page.
2 If prompted, find your account by entering your email, phone, username or full name and tap Search.
3 Look at the list of email addresses listed on your account. If you don't have access to any of these, tap No longer have access to these?
4 Enter a new email or phone that you know you can access and tap Continue.
5 Tap Reveal My Trusted Contacts and type the full name of one of your trusted contacts.
6 You'll see a set of instructions that includes a URL. The URL contains a special security code that only your trusted contacts can access. Call your friends and give them the URL so that they can open the link and give the security code to you.
7 Use the security codes from your trusted contacts to access your account.
Please read fascinating thesis from Yesterday. It links various domains, excellent problem description. No code, no engineering. opportunities for blockchain based identities in healthcare THESIS Included illustration, copied from above thesis:
Activities:
Good intros: A threshold key escrow scheme based on public key cryptosystem A Modular Approach to Key Safeguarding
Further reading and implementations: Strength in Numbers: Threshold ECDSA to Protect Keys in the Cloud Threshold Cryptography C Library Practical Threshold Signatures A JCA-based Implementation Framework for Threshold Cryptography
Read literature:
Buzzword bingo for possible thesis title and storyline:
Suggested ToDo:
This morning discussion inspired the following design. Simple party-trick also used in Enigma design by MIT for distributed encrypted storage. Simple designs like this might actually work!
please read https://link.springer.com/chapter/10.1007/978-3-319-67816-0_21
4 Definitions and Threat Model
We consider a setting in which users maintain attributes about themselves and require registrars to
vouch for these attributes. For example, in order to register the attribute “over 18 years old,” a user
reveals their identity to the government, who verifies their age.
Definition 1 (Passive/active verification)
Definition 2 (Attribute integrity)
Definition 3 (Attribute privacy)
Related work on zero-knowledge proof, Nature papers. Zero-Knowledge Nuclear Warhead Verification.
Activities:
The sole focus of this thesis are the following 2 research questions. Numerous other matters can be directly derived from them.
This question can be split into two subquestions:
R1: "How can accountability on access be guaranteed in an EMR?"
R2: "How can entries be validated by a patient as well as a healthcare provider in an EMR?"
do you need double-spending protection in your specific application domain, do you thus need to explain it? Four-part, complex sentence, with a lot of nuance, spread over several parts:
All data requests are evaluated and in case of a positive permission,
secure multiparty computation (sMPC) is used to process patient data without
risking patient privacy
Thesis chapter options
Questions; where to discuss in thesis: GDPR? no PKI yet; Public key are not used yet after 25 years of trying, the problem is central servers, Self-Sovereign Identity is not explained yet in Chapter 2-ish, etc.
Prototype idea: Self-sovereign identity + personal data store is located on your smartphone. record all access patterns and modifications using blockchain technology to produce tamper-proof access logs. This requires numerous support technologies because the user is required to be truly autonomous and should never need to call any helpdesk, for instance, for issues like loss recovery, theft locking, and backups (zero system admins / user managed system).
19Feb thesis draft will be shared with CIO of health ministry of the Kingdom.
Activities:
Improving thesis draft (processing feedback last time + adding literature references + expanding Related Work chapter)
Read student papers Blockchain engineering and Tanzania blockchain presentation
Question: how to incorporate SSI in this. thesis.pdf
completed; in-depth study of related for the topic of:
Next step with the Trustchain app. QR codes are deployed for import and export of tokens.
QR codes are being used in the medical domain Emergency personnel access the emergency information by scanning the QR code with a smartphone.
Commercial provider of in case of emergency info
Another project Health QR code. .
Interaction with medical data using QR-codes. Patent: Using quick response (qr) code to authenticate, access, and transfer electronic medical record information. Prior work: https://en.wikipedia.org/wiki/Health_Level_7 standard
Concrete ToDo for thesis core functionality:
Direction of thesis: implementation of a stand-alone algorithm (like algorithmics master course) not software development.
Clear goals for coming 3 weeks:
Activities last 2 weeks:
Activities:
Activities:
Dedicated prototype. Completely from scratch, without any unneeded features and functionality. solve the deniability problem. Irrefutable, tamper-proof medical records. Mental note, Wolter Pieters ask as 3rd committee member? Much related work, you found 3, but very fresh and immature field.
Todo use library for Joint Random Secret Sharing and get some implementation experience.
form of multi-party agreement in the encrypted domain. Form a group public key and a private key of the group. Additionally can offer 2 out of 3 redundancy. Smart usage within blockchain/trustchain.
Validation of EMR entries means that an entry becomes official only when both the
patient and the health care provider have agreed to the entry. This is similar to a
person sending a registered letter and the recipient signing for delivery. The patient
cannot claim not to know the content of the entry.
The private key is chosen by all the nodes together using Joint Random Secret Sharing
(JRSS). In this technique, each node chooses a random local secret value and
shares it with the group, using Shamir’s Secret Sharing (. Gennaro et al. 1996). Every
node adds all the shares together (including its own), resulting in the joint random
secret share. Just one of the nodes needs to introduce randomness to keep the joint
secret unknown.
I subscribed to this post and saw that you maybe start looking at switching to PyEthereum; I see you guys are trying to do these steps:
This for me sounds like Shamir Secret Sharing; there are currently two projects in the Ethereum ecosystem working on this; Since 31st of May 2018, Kimono released their smart contract on Rinkeby for trustless secret sharing; kimono medium post: https://medium.com/@pfh/kimono-trustless-secret-sharing-using-time-locks-on-ethereum-8e7e696494d
The kimono platform uses a commit and reveal scheme that distributes the secret for each piece of data across a network of peers who share it with the public only once the time-lock is complete. it relies on Shamir Secret Sharing
uPort also has a bounty open for a implementation of shamir secret sharing (sss) in WebAssembly, that is almost complete. https://github.com/uport-project/sss-wasm/pull/2
Roadmap for thesis. Concrete tasks
thesis_6_juli.pdf Activities:
thesis_26_juli.pdf Activities: Created basic login page. Improved prototype by adding working sign functionality. Uploader can check boxes to determine who is required to sign the event. Logged-in user can sign the event, this gets added to the blockchain as well. Made a start with the access monitoring functionality. Some small additions to thesis draft.
next steps
A 74-year-old Latino patient with a history
of hypertension, diabetes mellitus, dyslipidemia,
multivessel coronary and peripheral
arterial diseases, and chronic osteomyelitis
was recently discharged from our hospital
after undergoing several toe amputations.
His hospital course was complicated by
contrast-induced nephropathy that required
hemodialysis; heparin-induced thrombocytopenia;
lower extremity cellulitis; and significant
functional decline.
Activities last month:
Activities last 3 weeks:
Discovered initiatives:
Feedback:
Performance analysis:
Think about more decentralised approach. Can every medical institute run their own portal for login and coordination?
Activities:
implemented kind of Proof of Elapsed Time consensus
coducted some experiments for system without consensus
draft thesis direction
Investigate the revealing of privacy-sensitive attributes of your identity. Should be usable even in the sensitive medical domain with electronic patient files.
First step, find related work in this area (irma, zero-knowledge, zkSNARKs)
For next meeting: gather all general docs, weforum Djuri his thesis, etc. in .PDF form.